I’m trying to use the following Conjur parameters for Kubernetes but I’m not sure if they are correct:
CONJUR_APPLIANCE_URL=https://conjur.myorg.com:32149
elsewhere I saw a format like this: https://<conjur-service-name>.<conjur-namespace-name>.svc.cluster.local
CONJUR_AUTHN_URL=https://conjur.myorg.com:32149/authn-k8s/sidecar
elsewhere I saw a format like this: https://<conjur-service-name>.<conjur-namespace-name>.svc.cluster.local/authn-k8s/<authenticator-id>
I really like the way the required parameters are broken out in the Secretless documentation, so I often refer back to that page to get these values.
In general, if your Conjur service is running in Kubernetes (and has an associated K8s service resource defined) then you can define:
CONJUR_APPLIANCE_URL
  Description: The URL of the Conjur service API endpoint reachable from within the cluster.
  Value: For most Kubernetes clusters, the endpoint follows this pattern: https://[Conjur Service Name].[Conjur Namespace].svc.cluster.local/

CONJUR_AUTHN_URL
  Description: This is the authentication endpoint for the specific authenticator your app should be using.
  Value: If your authenticator name is $AUTHENTICATOR_NAME, then the value of this variable has the form $CONJUR_APPLIANCE_URL/authn-k8s/$URLENCODED_AUTHENTICATOR_NAME, where URLENCODED_AUTHENTICATOR_NAME is the URL-encoded version of AUTHENTICATOR_NAME.

CONJUR_AUTHN_LOGIN
  Description: The Conjur host identity your app should be authenticating as.
  Value: The specific value will depend on how you’ve set up your authn-k8s policy. For example, if you’ve chosen to use service-account-scoped identities, a common configuration has the host set to host/conjur/authn-k8s/AUTHENTICATOR_NAME/apps/APP_NAMESPACE/service_account/APP_SERVICE_ACCOUNT, where your app is defined in the conjur/authn-k8s/AUTHENTICATOR_NAME/apps/ policy branch and is going to be deployed to the APP_NAMESPACE K8s namespace with a service account named APP_SERVICE_ACCOUNT.
I hope this is helpful, but please feel free to follow up if you have further questions. For example, my answer for the CONJUR_AUTHN_LOGIN parameter can be made more specific if you share more details about the policy you’re using to define your Kubernetes authenticator.
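As an added example (not part of the answer above, and not Conjur's own tooling), the following POSIX shell helpers derive the three variables from the in-cluster service name, the authenticator id and the app's namespace and service account, applying the URL-encoding the answer calls for and stripping the trailing slash that the CONJUR_APPLIANCE_URL pattern ends with so the authn URL does not end up with "//". The service name conjur-oss, namespace conjur, authenticator id dev/cluster-1, app namespace app-ns and service account app-sa are assumed, constructed values; the function names are hypothetical helpers written for this example.

```shell
#!/bin/sh
# Added example, not from the original thread or from Conjur.
# Assumed (constructed) names: Conjur service "conjur-oss" in namespace
# "conjur", authenticator id "dev/cluster-1", app namespace "app-ns",
# app service account "app-sa".
set -eu

# Percent-encode every character that is not RFC 3986 "unreserved"
# (ASCII ids only), so an authenticator id with "/" becomes "dev%2Fcluster-1"
# in the authn URL path.
urlencode() {
  _s=$1; _out=""
  while [ -n "$_s" ]; do
    _rest=${_s#?}
    _c=${_s%"$_rest"}
    case "$_c" in
      [A-Za-z0-9.~_-]) _out="$_out$_c" ;;
      *) _out="$_out$(printf '%%%02X' "'$_c")" ;;
    esac
    _s=$_rest
  done
  printf '%s' "$_out"
}

# In-cluster appliance URL: https://<service>.<namespace>.svc.cluster.local
conjur_appliance_url() {
  printf 'https://%s.%s.svc.cluster.local' "$1" "$2"
}

# Authenticator endpoint: <appliance url>/authn-k8s/<URL-encoded id>.
# A trailing "/" on the appliance URL is stripped so the path is not "//authn-k8s".
conjur_authn_url() {
  _base=${1%/}
  printf '%s/authn-k8s/%s' "$_base" "$(urlencode "$2")"
}

# Service-account-scoped host identity, following the pattern in the answer:
# host/conjur/authn-k8s/<id>/apps/<namespace>/service_account/<service account>
conjur_authn_login() {
  printf 'host/conjur/authn-k8s/%s/apps/%s/service_account/%s' "$1" "$2" "$3"
}

# Checks worth running before shipping the values: the appliance URL must be
# https, and the authenticator id must be the raw name (this script encodes it;
# passing an already-encoded id would double-encode it).
validate_conjur_env() {
  case "$1" in
    https://*) ;;
    *) echo "CONJUR_APPLIANCE_URL must use https: $1" >&2; return 1 ;;
  esac
  case "$2" in
    *%*) echo "authenticator id must be the raw name, not URL-encoded: $2" >&2; return 1 ;;
  esac
  return 0
}

# Print the three env vars for a given service, namespace, authenticator id,
# app namespace and app service account.
render_conjur_env() {
  _appliance=$(conjur_appliance_url "$1" "$2")
  validate_conjur_env "$_appliance" "$3" || return 1
  printf 'CONJUR_APPLIANCE_URL=%s\n' "$_appliance"
  printf 'CONJUR_AUTHN_URL=%s\n' "$(conjur_authn_url "$_appliance" "$3")"
  printf 'CONJUR_AUTHN_LOGIN=%s\n' "$(conjur_authn_login "$3" "$4" "$5")"
}

# Example run with the assumed names.
render_conjur_env conjur-oss conjur dev/cluster-1 app-ns app-sa
```

The output can be pasted straight into a Pod's env block or a ConfigMap; CONJUR_AUTHN_LOGIN keeps the raw authenticator id because it names a policy path, while only the CONJUR_AUTHN_URL path segment is encoded.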